Krebs on Security

In-depth security news and investigation

Monster Mac OS X Update

Apple released a software update on Monday that includes fixes for a massive number of security vulnerabilities in Mac OS X and associated software.

The update corrects more than 90 security flaws and weaknesses in a variety of Apple and third-party products included in versions of OS X, such as ClamAV, Firewall, iChat, Mail, PHP and QuickTime.

Updates are available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.2, and Mac OS X Server v10.6 through v10.6.2, through Software Update or via Apple Downloads. You might want to schedule the download for a time when you can be away from the computer: depending on which version you’re downloading, the update may weigh in at more than 750 megabytes.

This entry was posted on Tuesday, March 30th, 2010 at 4:34 pm and is filed under Time to Patch.

I’m asking serious questions. Why are the “Update packages” so large? Are they like service packs versus other vendors’ typical smaller monthly updates? If they are like service packs, why are they so large in comparison to other software vendors’ service packs? Is it because they contain updates for so many apps? If so, I don’t like that because it’s bloat. I don’t want all that junk installed on my base OS. QuickTime alone is bloat, so is Java (both are included in Mac OS X). Not to mention the security issues either one brings to the table. Is that only an issue when they’re installed on Windows systems and not for Mac OS? Maybe I’m making a bad assumption based on limited knowledge.

Getting back to the size of the updates, I said yuck because due to their size, it takes longer to download them and I’m assuming longer to install. Not to mention taking up hard drive space, which isn’t really an issue these days with the size of hard drives. But, isn’t this the type of bloat that other vendors get slammed for? Or does Apple get a pass? Again, I’m asking serious questions! Maybe none of it is an issue and I’m just a thunderhead. ;P

The release was 10.6.3, and yes, roughly, the y in 10.x.y is similar to Windows x SP y, except that Apple ends up having e.g. 10.4.11 and 10.5.9 whereas Microsoft rarely passes SP6. Also keep in mind that while it happens to fix a certain number of vulnerabilities, that isn’t *all* it does: http://support.apple.com/kb/HT4014

Because of the way Apple works, it can make a core change to a private API which results in changes to all of its system apps which use that private API, which can easily result in fairly large updates (I’m not sure how often this happens or if it actually did happen here).

A large portion of any OS these days is printer drivers. I think my OS X 10.6.3 has >1.5gb of printer drivers, and given that one of the things listed as updated was printer drivers, it could easily be the case that a large portion of the download is replacements for those. And since I happen to know that a bunch of the printer drivers cause crashes in certain apps, I’d love for people to be given updated drivers that don’t crash….

Actually MS service packs can easily be >100mb. Service packs are cumulative, in that they generally let you update from any previous base version. I believe that you could go from 10.5.0 to 10.5.9 or from 10.6.0 to 10.6.3. However, software updaters will generally only download what’s necessary which will be smaller than the maximum size if you’re using a more current version of the system.

One thing to keep in mind, Apple uses universal binaries:
The actual 10.6.3 QuickTime Player is 34mb, of which roughly 9mb goes to 18 localizations, 2.4mb to Help content, 19mb for the actual “application”, and I think the rest is basically the user interface (buttons/icons/widgets…).

For comparison, Firefox 3.6.0 is 35mb with only one localization (US English). Firefox is a universal binary, so it would run on 10.5 on a G5 (ppc) or Intel (i386). QuickTime Player is also a universal binary, it will run on Intel (i386) or 64bit Intel (x86_64).

Shipping updates to universal binaries is roughly the equivalent of bundling the updates for 32bit and 64bit versions of Windows (or in the old days including Alpha and Intel binaries [nt4], or Alpha, MIPS, PPC, Sparc and Intel binaries [nt3.5]) in a single download just so that if you move your hard drive to a different computer or otherwise change the processor you can get better performance (or at least a booting computer). MS doesn’t do this, you can’t take a Windows 7 x64 system and stick it into a computer which doesn’t have an x86_64 processor and expect it to turn on (it won’t!), nor can you take a Windows 7 x86 system and expect it to work as Windows 7 x64 if your system happens to support it (it won’t, sadly — and I recently was licensed the x86 version even though my mac was perfectly happy running the x64 version). A similar story applies to localizations. I can at any time change my mac’s system interface Language to Spanish, Chinese, German or Russian. With Windows you had to go out and download a LIP or license a MUI if your variant of Windows even supported it — one LIP / MUI at a time.

FWIW, calling QuickTime bloat is like calling GDI, GDI+, MCI, and DirectX bloat. Your OS needs to be able to load, decode and play Movies.

As for security issues, yes, anything which has to handle complicated file formats has risks, but that’s true for *anything* that has to do it. And in general, it’s better for one guy to get it right than for twenty guys to get it wrong seventeen different ways and require you to get twenty-one updates to “fix” all of their problems. That leads to “update fatigue”, and people not knowing to update half of their apps. MS invented “patch tuesday” (once a month) and Apple uses its roughly quarterly update cycle to address this problem.

In some ways, bigger updates might actually be better for customers. One problem Microsoft and other browser vendors have is that if they make only a small change to their application to fix a “security vulnerability”, then bad guys can compare the before and after to determine what was fixed and then use that to figure out how to attack everyone who hasn’t updated. If the entire application changes (because e.g. a new optimization in the compiler using whole-program-optimization), then at least for a little while, it’s harder for bad guys to figure out what was fixed and how to attack it. — Note that this is controversial and in the end bad guys with enough intelligence / resources will be able to figure out the changes. But there’s a race going on … roughly: can a vendor upgrade (almost) all of its customers before bad guys can identify, produce, and distribute an exploit for those same customers. While a vendor’s customers aren’t being actively exploited, it’s in the customer’s best interest to have enough time to get updated before the bad guys figure out how to attack them.

Given how notoriously bad Sun’s Java updater story has been, Apple’s is in some ways better (even if their updates come 3 months late, at least there was a good chance of them being installed, and users not being left with 10 older jre’s also lying around). I think BK has mentioned that the latest Java update for Windows actually worked (and promptly), and I’m glad to hear it.

Still, as a user, I’d much rather a single place to go to get all of my updates. On OS X, I like being able to go to.. oh, nevermind, I just get told automatically (but System Preferences>Software Update) — my Windows 7 vm generally insists that there’s nothing to update until I ask it twice and wait a while. On Windows, I’d like to use “Windows Update” (and Microsoft recently announced some plan to enable third party updates using it!). On Solaris, I trust “Update Manager” to notify me (and to set up a way for me to be able to safely rollback to the world before the update in case anything goes wrong — http://developers.sun.com/developer/technicalArticles/opensolaris/bootenvironments/). On Linux, sadly, I trust my distribution to botch most of the applications I use regularly as part of its “harmonization” practices, which means that I have the choice of (a) trying to use applications as my distro has broken them and then being embarrassed when I ask the application authors for help only to discover that their application would have worked fine if I was using the genuine application instead of my distro’s “harmonized” variant or (b) manually maintaining and updating my applications so that I know they’ll actually work and so that I can get support from the actual application authors and praying that my distro hasn’t left any hacks which get picked up by the otherwise unadulterated versions.

The automatic update for the PPC 10.5.8 was under 200 MBytes and only took about 15 minutes from start to reboot. I’m waiting for the day Apple stops supporting PPCs and then OS-X 10.5.x. PPCs are only about 15% of the Mac G5s anymore and OS-X 10.5.x users are equally dwindling. Aperture 3 is now Intel chip OS-X 10.6.x, and as I read the rumors Adobe CS5 is also. My question for Mr. Krebs is what can one do with a 4-year old PPC G5 after being replaced with a new Intel Mac Pro?

As always with orphaned or planned-obsolescence equipment you turn to open source. Yellow Dog Linux is PPC ready; for G5 Apples the ATI X800 card would have to be replaced, or go VNC and / or serial console.

I sincerely doubt whether the Pwn2Own exploits are addressed in the recent update.

Most likely, the pending iPad release caused Apple to flush their codebase, as they do periodically. The second-dot OS releases are always feature+fix, with a companion Security Update release for the current -1 OS version.

This time around, we get a standalone QuickTime update for 10.5 which addresses (the new devices) and things that are fixed in 10.6.3.

BTW, don’t apply the 10.5 QuickTime update over 10.6.3. Badness and recover-from-backup ensue. Trust Software Update to know what’s needed, even if you download it separately.

Has anyone checked to see if this update includes Oracle Sun Java Version 6 Update 19? If not, then does this mean that there are 27 security vulnerabilities that could “theoretically” be leveraged against a Mac OS X system with the latest Apple provided update?

Since Update 19 was *just* released, I seriously doubt whether Apple has included it, though I haven’t been able to check yet.

Apple maintains its own version of Sun’s Java, and consequently ships its own updates at a different time. Unfortunately, this usually is quite a bit later than Sun does (as in 3-6 months later, on average).

To be fair, Nokia and other phone vendors take a long time to update their versions of Flash (which is the closest parallel to Java out there). Sometimes it’s the vendor’s fault, and sometimes it’s the fault of the upstream. Typically there’s more than enough blame to go around.

Integration isn’t something that magically just works right each and every time. Especially if you do heavy customization — which Apple certainly does. Every company has to weigh the risk of shipping a bad update which causes their customers to lose faith in them (see the recent antivirus update which caused Windows computers not to boot) against the risk to customers being attacked.

In theory people can use OpenJDK or SoyLatte if they want early access to Oracle Java.

Well I think the printer driver list is a bit excessive, 1.x gigs? And you know what happens generally when I get a new printer? Yup, I have to get the drivers anyway… and I’m not speaking of printers from Planet Kronos, these are everyday ones.

Anyhoo, the os updates aren’t half as annoying as the adobe updates. I’m so sick of Adobe updater coming on, every other day it seems and interrupting me. Drives me crazy! Have to shut that off!

And that’s exactly what it does, right in the middle of something it pops up and requests another 500 megs of space for god knows what.